The Epic Snake: Unraveling the mysteries of the Turla cyber-espionage campaign

Turla, also known as Snake or Uroburos, is one of the most sophisticated
ongoing cyber-espionage campaigns. When the first research on
Turla/Snake/Uroburos was published, it left one major question unanswered:
how do victims get infected?

The latest Kaspersky Lab research on this operation reveals that Epic is
the initial stage of the Turla victim infection mechanism.

The “Epic” project has been used since at least 2012, with the highest
volume of activity observed in January-February 2014. Most recently,
Kaspersky Lab detected this attack against one of its users on August 5,
2014.

Targets of “Epic” belong to the following categories: government
entities (Ministry of Interior, Ministry of Trade and Commerce, Ministry
of Foreign/External affairs, intelligence agencies), embassies,
military, research and education organizations and pharmaceutical
companies.

Most of the victims are located in the Middle East and Europe, however,
we observed victims in other regions as well, including in the USA. In
total, Kaspersky Lab experts counted several hundred victim IPs
distributed in more than 45 countries, with France at the top of the
list.

The attack:

Kaspersky Lab’s researchers discovered that the Epic Turla attackers use
zero-day exploits, social engineering and watering hole attacks to infect
victims.

In the past, they used at least two zero-day exploits: one for
Escalation of Privileges (EoP) in Windows XP and Windows Server 2003
(CVE-2013-5065) which allows the Epic backdoor to achieve administrator
privileges on the system and run unrestricted; and an exploit in Adobe
Reader (CVE-2013-3346) that is used in malicious e-mail attachments.

Whenever an unsuspecting user opens a maliciously-crafted PDF file on
a vulnerable system, the machine will automatically get infected,
allowing the attacker to gain immediate and full control over the target
system.

The attackers use both direct spear-phishing e-mails and watering hole
attacks to infect victims. The attacks detected in this operation fall
into several different categories depending on the initial infection
vector used in compromising the victim:

● Watering hole attacks that rely on social engineering to trick the
user into running fake “Flash Player” malware installers

Watering holes are websites commonly visited by potential
victims. These websites are compromised in advance by the attackers and
injected with malicious code. Depending on the visitor’s IP address
(for instance, a government organization’s IP), the attackers serve Java
or browser exploits, signed fake Adobe Flash Player software or a fake
version of Microsoft Security Essentials. In total, we have observed
more than 100 injected websites. The choice of websites reflects the
specific interests of the attackers. For example, many of the infected
Spanish websites belong to local governments.

Once the user is infected, the Epic backdoor immediately connects to the
command-and-control (C&C) server and sends a package containing the
victim’s system information. The backdoor is also known as “WorldCupSec”,
“TadjMakhal”, “Wipbot” or “Tadvig”.

Once a system is compromised, the attackers receive brief summary
information from the victim, and based on that, they deliver
pre-configured batch files containing a series of commands for
execution. In addition to these, the attackers upload custom lateral
movement tools. These include a specific keylogger tool, a RAR archiver
and standard utilities like a DNS query tool from Microsoft.

Turla’s first stage:


During the analysis, Kaspersky Lab researchers observed the attackers
using the Epic malware to deploy a more sophisticated backdoor known as
the “Cobra/Carbon system”, also named “Pfinet” by some anti-virus
products. After some time, the attackers went further and used the Epic
implant to update the “Carbon” configuration file with a different set
of C&C servers. The unique knowledge required to operate these two
backdoors indicates a clear and direct connection between them.

“The configuration updates for the ‘Carbon system’ malware are
interesting, because this is another project from the Turla actor. This
indicates that we are dealing with a multi-stage infection that begins
with Epic Turla. The Epic Turla is used to gain a foothold and validate
the high profile victim. If the victim is interesting, it gets upgraded
to the full Turla Carbon system,” explains Costin Raiu, Director of the
Global Research and Analysis Team at Kaspersky Lab.

Language usage:

The attackers behind Turla are clearly not native English speakers. They
commonly misspell words and expressions, such as:

Password it’s wrong!

File is not exists

File is exists for edit

There are other indications which hint at the origin of the
attackers. For instance, some of the backdoors were compiled on a
Russian-language system. Additionally, the internal name of one of
the Epic backdoors is "Zagruzchik.dll", which means "bootloader" or
"load program" in Russian.

Finally, the Epic mothership control panel sets the code page to 1251,
which is used for Cyrillic characters.
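A defender-side string scan for the artifacts named above, added here as an example and not Kaspersky’s code: the strings are the ones quoted in this release, the sample buffer is constructed, and searching both UTF-8 and UTF-16LE forms is an assumption about how Windows binaries store their messages, not something the release states.

```python
"""Scan a byte buffer for the language artifacts this release attributes to
the Epic Turla tooling. Added example, not Kaspersky's code; the sample
buffer is constructed for illustration and is not a real malware sample."""
import re

# Strings quoted in the release: the misspelled messages and the internal
# DLL name. Both apostrophe variants are listed because press copy often
# replaces a plain ' with a typographic one.
EPIC_TURLA_STRINGS = [
    "Password it's wrong!",
    "Password it\u2019s wrong!",
    "File is not exists",
    "File is exists for edit",
    "Zagruzchik.dll",
]


def compile_patterns(strings=EPIC_TURLA_STRINGS):
    """Compile a case-insensitive byte pattern per string and encoding.
    Windows binaries commonly hold messages as UTF-16LE wide strings, which
    an ASCII-only search would miss (assumption, not from the release)."""
    patterns = []
    for s in strings:
        for enc in ("utf-8", "utf-16-le"):
            pat = re.compile(re.escape(s.encode(enc)), re.IGNORECASE)
            patterns.append((s, enc, pat))
    return patterns


def scan_buffer(data, patterns=None):
    """Return (offset, string, encoding) hits sorted by offset."""
    patterns = patterns or compile_patterns()
    hits = []
    for s, enc, pat in patterns:
        for m in pat.finditer(data):
            hits.append((m.start(), s, enc))
    return sorted(hits)


def verdict(hits, min_distinct=2):
    """Flag only when several distinct artifacts co-occur, so a single
    phrase that happens to appear in a benign file does not fire alone."""
    distinct = sorted({s for _, s, _ in hits})
    return len(distinct) >= min_distinct, distinct


# Constructed sample: a fake MZ-prefixed buffer with one narrow and two
# wide strings embedded among filler bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 16
    + b"File is not exists\x00"
    + b"\x90" * 8
    + "Zagruzchik.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 4
    + "PASSWORD IT'S WRONG!".encode("utf-16-le")
)

if __name__ == "__main__":
    found = scan_buffer(SAMPLE)
    for off, s, enc in found:
        print(f"0x{off:04x} {enc:<9} {s}")
    flagged, names = verdict(found)
    print("flagged" if flagged else "clean", names)
```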

Links with other threat actors:

Interestingly, possible connections with other cyber-espionage
campaigns have been observed. In February 2014, Kaspersky Lab experts
observed that the threat actor known as Miniduke was using the same
web-shells to manage infected web servers as the Epic team did.

To learn more about the “Epic Turla” operation, please read the blog
post available at Securelist.com.

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four
vendors of security solutions for endpoint users*. Throughout its more
than 16-year history Kaspersky Lab has remained an innovator in IT
security and provides effective digital security solutions for large
enterprises, SMBs and consumers. Kaspersky Lab, with its holding company
registered in the United Kingdom, currently operates in almost 200
countries and territories across the globe, providing protection for
over 300 million users worldwide. Learn more at www.kaspersky.com.

* The company was rated fourth in the IDC rating Worldwide Endpoint
Security Revenue by Vendor, 2012. The rating was published in the IDC
report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor
Shares" (IDC #242618, August 2013). The report ranked software vendors
according to earnings from sales of endpoint security solutions in 2012.

For the latest in-depth information on security threat issues and
trends, please visit:
